XML External Entity (XXE) Injection in expat

Do your applications use this vulnerable package? Test your applications

Overview

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

References

Bugtraq Mailing List
CONFIRM
CVE Details
Debian Security Advisory
Debian Security Announcement
Debian Security Tracker
FEDORA
FEDORA
GENTOO
GitHub Commit
GitHub Issue
GitHub PR
MISC
MISC
MISC
N/A
Netapp Security Advisory
SUSE
Ubuntu CVE Tracker
Ubuntu Security Advisory
Ubuntu Security Advisory

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

None
Availability

High

CVE: CVE-2018-20843
CWE: CWE-611
Snyk ID: SNYK-ALPINE39-EXPAT-453353
Disclosed: 24 Jun, 2019
Published: 24 Jun, 2019

XML External Entity (XXE) Injection
Affecting expat package, versions <2.2.7-r0

Overview

References

CVSS Score

XML External Entity (XXE) Injection Affecting expat package, versions <2.2.7-r0

Overview

References

XML External Entity (XXE) Injection
Affecting expat package, versions <2.2.7-r0